A vulnerability identified by a "security researcher" resulted in nearly $3 million being stolen from Kraken's treasury.
A vulnerability identified by a “security researcher” resulted in nearly $3 million being stolen from Kraken’s treasury. The cryptocurrency exchange Kraken has reported that the “security researchers” who discovered a flaw on their platform resorted to “extortion” after withdrawing approximately $3 million from the exchange’s treasury.
Nick Percoco, Chief Security Officer at Kraken, disclosed on the social media platform X (formerly Twitter) that the firm received a bug bounty alert from a security researcher on June 9 regarding a vulnerability that allowed users to artificially inflate their balances. According to Percoco, the bug “enabled a malicious actor, under certain conditions, to initiate a deposit and receive funds in their account without fully completing the deposit.” Kraken promptly addressed the issue upon receiving the report, ensuring that no user funds were affected. However, subsequent events raised significant concerns within Kraken’s team.
It was alleged that the security researcher disclosed the bug to two other individuals, who then “fraudulently” withdrew nearly $3 million from their Kraken accounts. “These funds were taken from Kraken’s treasury, not from client assets,” Percoco clarified. The initial bug report did not mention the transactions involving the other individuals, and when Kraken requested additional details, the researchers refused to comply.
“Instead, they demanded a call with their business development team (i.e., their sales representatives) and have not agreed to return any funds until we provide an estimated monetary value of the potential impact of this bug had it not been disclosed. This is not white-hat hacking; it is extortion!” stated Percoco.
Kraken did not reveal the identities of the researchers, but blockchain code editor Certik later reported on social media that it had identified several vulnerabilities within the exchange. Certik’s “multi-day testing” revealed that the bug could be exploited to create millions of dollars worth of cryptocurrency. “Millions of dollars can be deposited into ANY Kraken account. A significant amount of fabricated cryptocurrency (worth more than $1M USD) can be withdrawn and converted into legitimate cryptocurrencies. Moreover, no alerts were triggered during the multi-day testing period,” Certik explained. However, Certik claimed that the situation deteriorated after the initial conversation with Kraken. “Kraken’s security operations team THREATENED individual Certik employees to repay a MISMATCHED amount of cryptocurrency within an UNREASONABLE timeframe, even WITHOUT providing repayment addresses,” the X post added.
Bug bounty programs, utilized by numerous firms to enhance their security systems, invite third-party hackers, known as “white hats,” to identify vulnerabilities so the company can address them before malicious actors can exploit them. Kraken’s competitor, Coinbase, runs a similar program to identify vulnerabilities within their exchange.
To be eligible for a bounty, Kraken’s program requires third parties to identify the problem, exploit the minimum amount necessary to prove the bug, return the assets, and provide details of the vulnerability. Kraken stated in a blog post that since the security researchers did not adhere to these rules, they would not receive a bounty.
